روش تصمیم گیری برای مدیریت بهره وری عملیاتی و خطر افشای اطلاعات در فرآیندهای بهداشت و درمان

This paper addresses two critical challenges faced by healthcare organizations: significant personnel shortages and mandates to safeguard patient safety and information security. We develop a two-stage decision making methodology to optimize the healthcare workflow task assignments and mitigate information disclosure risks. While the first stage throughput optimization formulation maximizes operational efficiencies, it can expose organizations to information disclosure risks that can be exploited to violate patient safety and information security. To address the ensuing privacy and fraud concerns we define task-based conflict sets to assess disclosure risks with optimal task assignments. In the second stage of the solution methodology, various security control strategies – task based and employee based – are incorporated into a decision support model to help decision makers to effectively manage and achieve workflow efficiency and meet information security requirements. For practical settings where certain parameters are not obtainable or the problem is computationally intractable, we provide a sequential-decision approach that could yield approximate partial solutions. We conduct an extensive computational analysis of a clinical workflow process to illustrate the practical benefits of the proposed methodology.

As healthcare costs continue to skyrocket, healthcare organizations are faced with the constant challenge of operating at reduced costs while delivering good quality of care and protecting patient privacy [1], [30] and [31]. However, the ability of these organizations to deliver effective and efficient patient care is currently hindered by two major factors: the current and growing shortage of healthcare professionals and the patient privacy concerns. On the one hand, staffing shortages across healthcare job types have caused emergency department overcrowding, reduced number of staffed beds to serve patients, delayed discharge and increased length of stay for patients, and decreased staff and patient satisfaction [1]. On the other hand, organizations are mandated to comply with a plethora of rules and regulations to ensure patient privacy [30] and [31]. Such rules and regulations are a natural consequence of concerns about healthcare organizations that routinely collect, manage and use sensitive personal, medical, and financial data on patients. While access to such data is crucial to deliver quality care and conduct clinical research, they may also be exploited for profit and enable a variety of criminal activities. For example, a former UCLA employee pleaded guilty to selling medical data of celebrities to tabloids [39]. In a series of related investigations, it was discovered that records of over 1000 patients were accessed inappropriately since 2003; 165 hospital employees were disciplined. Motivations for private data snooping may go beyond mere curiosity or selling data to tabloids. By collecting pieces of information about a person, a potential attacker can create a comprehensive profile of the target and use it later for identity theft, blackmail or other adverse activities. Regulations such as HIPAA (2002) [30] and HITECH (2009) [31] require healthcare organizations to implement policies and procedures to prevent and detect security violations related to patient safety and privacy. Such initiatives are in themselves not revenue generating activities but rather an additional cost for organizations. In light of staffing shortage, budget constraints, and an avalanche of evolving regulatory compliance requirements, healthcare organizations are driven to design and improve the operation efficiency and information security in their workflow systems. Despite large and diverse research on healthcare processes and information security, there is dearth of research addressing healthcare processes with the objective of achieving both the operational efficiency and meeting information security requirements. Research in healthcare informatics has focused on developing security mechanisms for electronic clinical record systems, while research in information security has focused on developing various technologies at microdata level or database access mechanisms to limit the disclosure of sensitive data [9], [14], [15], [16], [18], [21], [25] and [40]. One of the key challenges in the design of healthcare processes and other service-oriented environments is to achieve the goal of both providing efficient care and securing privacy information adequately [38] and [55]. We recognize this challenge and explicitly address it in our work. In this paper, we propose a decision methodology that minimizes the disclosure risk via a workflow system with optimal efficiency and a viable and effective control scheme for preventing information disclosure. This methodology encompasses a two-stage optimization formulation. At the first stage, it finds optimal staffing solutions for a workflow, in terms of minimum throughput time. At the second stage, it then selects the best combination of task and employee control placements for each of the optimal staffing assignments obtained from the first stage, in terms of acceptable control cost. We show that solving the two-stage problem results in an efficient and reasonably secure staff strategy. For applications where model parameterization is practically infeasible or the problem is computationally intractable, we provide a sequential-decision methodology that could yield efficient staffing solutions with minimum disclosure risk. We use a clinical workflow process to illustrate our methodology.

We have presented a decision making methodology for healthcare organizations to design and improve the operational efficiencies in work assignments and information security in the workflow systems. These are pressing challenges in the healthcare industry which is experiencing rising costs and significant shortages in human resources, and is faced with a plethora of rules and regulations to safeguard patient safety and information security. An important aspect of proposed decision making methodology is that it is practical in healthcare settings where it is often infeasible to objectively quantify the probability of information breach, precise cost implications of placing security controls, and financial consequences of information disclosure. The first stage of the solution methodology entails maximizing the workflow efficiency with available human resources by allocating tasks to employees with appropriate skill levels and who can execute appropriate tasks most effectively. While the first stage maximizes operational efficiencies, it can expose organizations to information disclosure risks that can be exploited to violate patient safety and information security. To address the ensuing privacy and fraud concerns we define task-based conflict sets to assess disclosure risks with optimal task assignments. In the second stage of the solution methodology, various task-based and employee-based security control strategies are incorporated into a decision support model to help decision makers to effectively manage and achieve workflow efficiency and meet information security requirements. An important finding from our extensive computational analysis is that while some security conflicts are theoretically possible, they are not practically relevant in specific workflow configurations. Thus our proposed methodology aids decision makers in identifying and focusing on particularly problematic security issues pertinent to the organization. A logical extension of our current work would focus on developing an iterative decision making approach that accommodates changes in staffing, workflow configurations, and security requirements. Explicitly modeling the possibility of collusion among employees is also a viable avenue for future research.